DHCP service allocating address beyond local LAN

Postby ChrisH » Sep 16 03 7:28 am

Hello,

I utilize a wireless internet connection to my ISP and they use a VLAN to connect users and allocate IP addresses in the private range, 10.237.x.x. So my NIC connected to the ISP is assigned an IP address, subnet mask and default gateway from the ISP's DHCP server. All internal LAN machines receive their IPs etc. from the WinGate DHCP server.

However, the WG DHCP server is broadcasting its availability to the other users on the VLAN. I am seeing, over time, the same outside users requesting service from WG DHCP. Now, I have restricted allocation only to internal NetBIOS names, but these requests keep coming in and show up as system messages with authentication failure. I have unchecked in ENS the "Support for multiple subnetworks" but no change. Stopping the DHCP service stops the requests from coming in.

I have ver 5.0.7 on XP as the WG server using 192.168.0.1 as its static IP address. The only property that is checked on the NIC to the ISP is TCP/IP. Is this happening because of private IP addresses on the ISP side? Or something else? Is there anything else I can do? It's not a mission critical issue but an "annoyance" factor.

In summary: two network cards. One to the local LAN hub, the other to the wireless modem to the ISP.
DHCP is bound only to the local NIC, 192.168.0.1. I've snipped out sections from the
WinGate config report below.

5.02 Network Interfaces
5.03 ---------------------------------------------
5.04 10.237.88.232 (LAN) [External] [Unsecure]
5.05 192.168.0.1 (LAN) [Internal] [Secure]
5.06 Dial Up (RAS) [External] [Unsecure]
5.07 127.0.0.1 (LOOPBACK) [Internal] [Secure]
5.08

6.50 DHCP Service (DHCP Service)
6.51 ---------------------------------------------
6.52 Session Timeout: 60
6.53 Port: 67
6.54 Startup: Manual start/stop
6.55 Binding 1: 192.168.0.1
6.56 Access Rights: Defaults: are ignored
6.57 Everyone - Restricted by request
6.58 Start/Stop Rights: Defaults: may be used instead
6.59 Edit Rights: Defaults: may be used instead
6.60

8.02 Enhanced Network Support
8.03 ---------------------------------------------
8.04 Enhanced Network Support: 5.00 Syz - Installed and active
8.05 Driver: Enabled
8.06 NAT: Enabled
8.07 Router: Disabled
8.08 Firewall level: Custom
8.09

8.10 Firewall
8.11 ---------------------------------------------
8.12 Disable network name broadcasts to the Internet: Enabled
8.13 Allow users to ping this machine locally: Enabled
8.14 Allow users to ping this machine from the Internet: Disabled
8.15 Discard spoofed packets: Enabled
Chris H.
ChrisH
WinGate Master
 
Posts: 388
Joined: Sep 13 03 1:38 am
Location: Canada

Postby adrien » Sep 16 03 8:18 am

That address that your ISP is allocating you - 10.x.y.z is defined as a private IP address.

That means WinGate DHCP will happily bind to it.

You need to go into the DHCP server in GateKeeper, and under the bindings tab, double-click on the entry in the "bound adapters" list for this interface (10.237.x.y). Then stop and start the DHCP service.

You should also go to Options->Advanced->Network Interfaces and make sure that the details for this interface are external and untrusted.

Adrien
adrien
Qbik Staff
 
Posts: 5441
Joined: Sep 03 03 2:54 pm
Location: Auckland

Postby ChrisH » Sep 16 03 8:43 am

Adrien,

Thanks for the reply, but the only bound interface I have in DHCP is 192.168.0.1; there is no other choice either in "Bound" or "Available". The 10.237.xxx.xxxx interface is set to "external" and "unsecure"; WG set it up that way. Anything else I might try?
Chris H.

Postby adrien » Sep 16 03 10:58 am

That is very odd then.

If you turn on debug logging in the DHCP service, can you see these requests?

Also, DHCP servers do not broadcast their availability, they respond to broadcast queries (called discovery messages), but they don't advertise.

Also, make sure the OS you are on isn't running a DHCP service as well.

If you see anything interesting in the log, can you post it here?

thanks

Adrien

Postby ChrisH » Sep 17 03 4:29 am

I have a link to the DHCP log listed below. The log starts off showing requests denied because of filtering. That was changed to allow all, and the requests were then looked at and finally one was allocated. Though it shouldn't have been, as the scope for the DHCP service was set up to exclude most addresses and 192.168.0.21 is on that list. Update to that: I just checked Scopes and another new entry was added (looks like a default setting) which would have allowed that address. Why was another new scope created (I didn't create it)? Any further thoughts?

http://www.echoridge.bravehost.com/DHCPlogfile.htm
Chris H.

Postby adrien » Sep 17 03 8:49 am

OK.

There is only one way I can imagine that a DHCP request received on one interface is seen on another, and that is if you have UDP broadcast relaying turned on in your ENS configuration, and have it set to broadcast port 68.

Can you check this setting? If so, make sure you don't have UDP relaying for ports 68 and 69 enabled.

Adrien

Postby ChrisH » Sep 17 03 4:47 pm

Adrien,

I can't see where you mean to check in GateKeeper, so I'm assuming you want me to check in the registry. To me, it looks like relaying is turned on but only for ports 137 and 138. I'll copy the registry key and post it below for you to look at. Sorry for the ads, but it doesn't cost me anything! It would probably be a good idea to enable a posting facility here in this forum; I'll mention it in the General forum. OK ... no more General forum, I'll mention it here then.


http://echoridge.bravehost.com/ENSkey.htm
Chris H.

Postby adrien » Sep 17 03 5:41 pm

Under ENS, on the routing tab in GateKeeper.

Postby ChrisH » Sep 18 03 1:40 am

Adrien,

I didn't have the "Support for multiple subnetworks (router)" button checked, so the routing tab wasn't there. Now that it is: UDP relaying is turned on, ports 67 and 68 are NOT checked under the advanced tab, ports 137 and 138 are checked. There are no other entries. Hope that helps. Anything else?
Chris H.

Postby adrien » Sep 18 03 9:46 am

I'm also finding it very odd that these are not instead being stopped by the firewall, since the connection is deemed external, and by default these ports would be blocked.

Does the wireless modem reside in the machine, or do you connect to it via the same NIC that you use for your LAN?

Adrien

Postby ChrisH » Sep 18 03 4:04 pm

Two separate NICs. One for the LAN, one connects directly to the external wireless modem. For what it is worth, I unchecked "Relay UDP Broadcast Packets" and the problem seems to stop. Checking it back, the requests start again. When not relaying, however, it looks like the ISP DHCP server (10.237.1.1) is being blocked at the firewall, like what you were thinking. The system message is as follows.

The Firewall has blocked a connection attempt made to 10.237.88.232:68 from 10.237.1.1:67, protocol: UDP. What next?
Chris H.

Postby adrien » Sep 18 03 4:58 pm

Ah

OK, I will look into the relaying code - it shouldn't relay unless the ports are set.

However, as for the firewall hits, that is the DHCP server at your ISP responding to the DHCP client on your WinGate machine.

Blocking the responses could cause problems with your IP address etc, so probably best to create a port range setting in the ENS which allows UDP port 68 from the Internet.

We don't create hash entries in our NAT for outbound broadcasts. Probably something we should add for DHCP.

Adrien
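Three points from the exchange above, worked as an added Python example that is not WinGate's code or the ENS relay logic: a DHCP server answers a client's DISCOVER broadcast rather than advertising, a UDP broadcast relay that forwards port 67/68 traffic would carry other VLAN users' requests to the LAN-side server, and the ISP's reply from 10.237.1.1:67 to 10.237.88.232:68 cannot match an outbound-state entry keyed on the ordinary address/port tuple, because the request left from 0.0.0.0 to 255.255.255.255. The addresses are those quoted in the thread; the traffic is constructed inline, and the "external"/"internal" interface labels, the xid-based state table and the allow/drop decisions are illustrative assumptions, not WinGate behaviour.

```python
from __future__ import annotations
import struct
from dataclasses import dataclass, field

# Wire constants from RFC 2131/2132.
SERVER_PORT, CLIENT_PORT = 67, 68
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5          # option 53 message types
MAGIC_COOKIE = b"\x63\x82\x53\x63"


@dataclass
class Dhcp:
    op: int
    xid: int
    msg_type: int | None


def parse_dhcp(payload: bytes) -> Dhcp:
    """Parse the 236-byte BOOTP header, the magic cookie and option 53 (message type)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op = payload[0]
    xid = struct.unpack("!I", payload[4:8])[0]
    msg_type, i = None, 240
    while i < len(payload) and payload[i] != 255:      # 255 = end option
        if payload[i] == 0:                             # 0 = pad, has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        if code == 53 and length == 1:
            msg_type = payload[i + 2]
        i += 2 + length
    return Dhcp(op, xid, msg_type)


def build_dhcp(op: int, xid: int, msg_type: int) -> bytes:
    """Build a minimal DHCP message; used here only to construct sample traffic."""
    hdr = bytearray(236)
    hdr[0], hdr[1], hdr[2] = op, 1, 6                   # op, htype=Ethernet, hlen=6
    hdr[4:8] = struct.pack("!I", xid)
    return bytes(hdr) + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])


@dataclass
class Packet:
    iface: str                 # assumed labels: "external" (ISP VLAN) or "internal" (LAN)
    direction: str             # "out" = sent by this host, "in" = received by it
    src: tuple[str, int]
    dst: tuple[str, int]
    payload: bytes


def tuple_reply_matches(request: Packet, reply: Packet) -> bool:
    """The check a plain UDP state table makes: the reply inverts the request's
    address/port pair. DHCP defeats it: the request went 0.0.0.0 -> 255.255.255.255,
    the reply arrives from the server's real address, so the entry never matches."""
    return reply.src == request.dst and reply.dst == request.src


@dataclass
class DhcpFilter:
    """DHCP-aware decisions per interface; our own client's state is keyed on the xid."""
    pending: set[int] = field(default_factory=set)

    def decide(self, pkt: Packet) -> str:
        sport, dport = pkt.src[1], pkt.dst[1]
        if not {sport, dport} & {SERVER_PORT, CLIENT_PORT}:
            return "not-dhcp"                           # falls through to ordinary rules
        try:
            msg = parse_dhcp(pkt.payload)
        except ValueError:
            return "drop"
        if pkt.direction == "out":
            # Our own client asking the ISP (68 -> 67): remember the xid for the reply.
            if msg.op == BOOTREQUEST and (sport, dport) == (CLIENT_PORT, SERVER_PORT):
                self.pending.add(msg.xid)
                return "allow"
            return "drop"
        if msg.op == BOOTREPLY and (sport, dport) == (SERVER_PORT, CLIENT_PORT):
            # OFFER/ACK from a server: accepted only for a transaction we started.
            if msg.xid in self.pending:
                if msg.msg_type == ACK:
                    self.pending.discard(msg.xid)
                return "allow"
            return "drop"
        if msg.op == BOOTREQUEST and pkt.iface == "internal":
            return "allow"                              # LAN clients asking the LAN-side server
        # Other VLAN users' DISCOVER/REQUEST broadcasts on the external interface:
        # drop, and in particular never relay them towards the LAN-side DHCP server.
        return "drop"


def run_scenario() -> dict[str, object]:
    """Constructed traffic using the addresses quoted in the thread."""
    f = DhcpFilter()
    ours = Packet("external", "out", ("0.0.0.0", 68), ("255.255.255.255", 67),
                  build_dhcp(BOOTREQUEST, 0x1234, DISCOVER))
    isp = Packet("external", "in", ("10.237.1.1", 67), ("10.237.88.232", 68),
                 build_dhcp(BOOTREPLY, 0x1234, OFFER))
    stranger = Packet("external", "in", ("0.0.0.0", 68), ("255.255.255.255", 67),
                      build_dhcp(BOOTREQUEST, 0xBEEF, DISCOVER))
    lan = Packet("internal", "in", ("0.0.0.0", 68), ("255.255.255.255", 67),
                 build_dhcp(BOOTREQUEST, 0xCAFE, DISCOVER))
    rogue = Packet("external", "in", ("10.237.1.1", 67), ("10.237.88.232", 68),
                   build_dhcp(BOOTREPLY, 0x9999, OFFER))   # xid we never sent
    return {"tuple_match": tuple_reply_matches(ours, isp),
            "our_discover": f.decide(ours), "isp_offer": f.decide(isp),
            "stranger_discover": f.decide(stranger), "lan_discover": f.decide(lan),
            "unsolicited_offer": f.decide(rogue)}
```

Running `run_scenario()` shows the tuple check returning False for the genuine ISP reply, which is the blocked connection Chris quoted, while the xid-keyed filter allows that reply, allows LAN clients' requests on the internal side, and drops both a stranger's DISCOVER arriving on the ISP VLAN and an OFFER for a transaction this host never started. In WinGate terms the equivalent of the xid entry is the port-range rule Adrien suggests, permitting inbound UDP 68 on the external interface.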

Postby ChrisH » Sep 19 03 12:08 am

Adrien,

Thanks, I will adjust ports accordingly.
Chris H.